xlxd/dashboard/changes.txt
2025-10-14 14:40:53 +01:00

xlx db v2.4.3
SECURITY UPDATE - All files updated to fix vulnerabilities
This release addresses multiple security vulnerabilities including XSS (Cross-Site Scripting),
command injection, path traversal, and SSRF (Server-Side Request Forgery) attacks.
Files Changed and Security Fixes:
- "functions.php"
* Added sanitize_output() and sanitize_attribute() helper functions for XSS prevention
* Added validate_callsign(), validate_module(), validate_protocol() input validation functions
* Replaced exec() call in GetSystemUptime() with secure file reading from /proc/uptime
* Added input validation and shell argument escaping to VNStatGetData()
* Added array bounds checking to ParseTime() to prevent errors on malformed input
- "class.interlink.php"
* Added input validation to SetName() - validates reflector name format
* Added input validation to SetAddress() - validates IP addresses and hostnames
* Added input validation to AddModule(), RemoveModule(), and HasModuleEnabled()
- "class.node.php"
* Added input validation in constructor for all parameters
* IP addresses validated with filter_var()
* Protocol validated against whitelist
* Callsign format validated with regex
* LinkedModule validated as single A-Z letter
- "class.parsexml.php"
* Added element name sanitization to prevent XML injection
- "class.peer.php"
* Added input validation in constructor for all parameters
* Same validation as class.node.php for consistency
- "class.reflector.php"
* Added path traversal prevention to SetXMLFile(), SetPIDFile(), and SetFlagFile()
* Added SSRF protection to CallHome() - blocks internal/private IP addresses
* Added validation to ReadInterlinkFile() to prevent path traversal
* Added XML entity encoding to PrepareInterlinkXML() and PrepareReflectorXML()
* Added URL validation to SetCallingHome()
* Added missing InterlinkCount(), GetInterlink(), and IsInterlinked() methods
- "class.station.php"
* Added input validation in constructor for all parameters
* Callsign format validation
* Module validation
- "modules.php"
* All output wrapped with sanitize_output() to prevent XSS
- "peers.php"
* All peer data output sanitized with sanitize_output() and sanitize_attribute()
* URL and callsign outputs properly escaped
- "reflectors.php"
* All XML element data sanitized before output
* Dashboard URLs and reflector names properly escaped
- "repeaters.php"
* Added input validation for filter parameters
* All node/repeater data sanitized before output
* Flag images and URLs properly escaped
* IP addresses sanitized
- "traffic.php"
* Added strict whitelist validation for interface parameter
* Interface names validated against configured list only
- "users.php"
* Added input validation for filter parameters
* All station/user data sanitized before output
* Callsigns, suffixes, and module names properly escaped
- "index.php"
* Added secure session configuration (HttpOnly, SameSite, Secure flags)
* Added security headers (X-Content-Type-Options, X-Frame-Options, X-XSS-Protection, Referrer-Policy)
* Added whitelist validation for 'show' parameter
* Added validation for 'do' and 'callhome' parameters
* All configuration values sanitized before output to HTML
* JavaScript injection prevented in page refresh code
* All meta tags properly escaped
Security Vulnerabilities Fixed:
- XSS (Cross-Site Scripting) - All user input and XML data now properly escaped
- Command Injection - Removed unsafe exec() calls, added shell argument escaping
- Path Traversal - File paths validated and restricted to expected directories
- SSRF (Server-Side Request Forgery) - CallHome validates URLs and blocks internal IPs
- Session Hijacking - Added HttpOnly, SameSite, and Secure cookie flags
- XML Injection - Element names sanitized, content stripped of tags
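The following PHP is added here as an illustration of three of the patterns this release describes and is not taken from the dashboard's own source: GetSystemUptime() reading /proc/uptime instead of calling exec(), a realpath-based check of the kind SetXMLFile(), SetPIDFile() and SetFlagFile() need, and the CallHome() SSRF guard that rejects private and reserved addresses. The helper names ResolveInsideDir() and IsSafeCallHomeUrl() and all function bodies are assumptions.

```php
<?php
// Added illustration; bodies are assumptions, not the dashboard's own code.
// GetSystemUptime(): read /proc/uptime instead of exec("uptime"); null if unreadable.
function GetSystemUptime(): ?int {
    $raw = @file_get_contents('/proc/uptime');
    if ($raw === false) {
        return null;
    }
    // The file holds "<seconds up> <idle seconds>"; only the first field matters.
    $first = explode(' ', trim($raw), 2)[0];
    return is_numeric($first) ? (int) floor((float) $first) : null;
}

// Path traversal guard for the XML/PID/flag file setters: the canonical path
// must stay inside $baseDir ("../" is resolved away). Null if the file is
// missing or the resolved path escapes the directory.
function ResolveInsideDir(string $path, string $baseDir): ?string {
    $base = realpath($baseDir);
    $real = realpath($path);
    if ($base === false || $real === false) {
        return null;
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real, $base, strlen($base)) === 0 ? $real : null;
}

// SSRF guard for CallHome(): http(s) only, and every address the host
// resolves to must be public (rejects loopback, link-local, RFC1918, ULA).
function IsSafeCallHomeUrl(string $url): bool {
    $parts = parse_url($url);
    if ($parts === false || empty($parts['host'])
        || !in_array(strtolower($parts['scheme'] ?? ''), ['http', 'https'], true)) {
        return false;
    }
    $host  = trim($parts['host'], '[]');         // drop IPv6 brackets
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {   // literal IP
        return filter_var($host, FILTER_VALIDATE_IP, $flags) !== false;
    }
    $records = dns_get_record($host, DNS_A | DNS_AAAA) ?: [];
    if ($records === []) {
        return false;                             // unresolvable: refuse
    }
    foreach ($records as $rec) {                  // one internal answer rejects the URL
        $ip = $rec['ip'] ?? $rec['ipv6'] ?? '';
        if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
            return false;
        }
    }
    return true;
}
```

The DNS lookup in IsSafeCallHomeUrl() and the later HTTP request resolve the name separately, so a host that changes its answer between the two still gets through; pinning the checked address into the request closes that gap.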
xlx db v2.4.1
You can now hide the liveircddb menu button if you are serving your dashboard over HTTPS.
- "config.inc.php"
- "index.php"
xlx db v2.4.0
- "config.inc.php"
- "index.php"
- "js"
- "layout.css"
xlx db v2.3.9
Redesign of callinghome.php.
- "config.inc.php"
- "index.php"
- "functions.php"
xlx db v2.3.8
add support for network traffic statistics via vnstat.
- "config.inc.php"
- "index.php"
- "functions.php"
add traffic.php
xlx db v2.3.7
add background color change on active page.
- "config.inc.php"
- "layout.css"
- "index.php"
xlx db v2.3.6
add xlx reflector version to calling home.
- "config.inc.php"
- "class.reflector.php"
xlx db v2.3.5
The page refresh is now suspended until you leave the filter fields.
- "index.php"
- "users.php"
- "config.inc.php"
xlx db v2.3.4
add filter function to the dashboard. It can be enabled or disabled via the config.inc.php
- "index.php"
- "users.php"
- "config.inc.php" $PageOptions['UserPage']['ShowFilter'] added
- "layout.css"
xlx db v2.3.3
Now always displays the correct module for the last heard station.
db v2.3.3 requires xlxd v1.4.1
- "class.station.php"
- "class.reflector.php"
- "users.php"
xlx db v2.3.2
Add a random id for nodes, to show the correct linked module when multiple nodes with
the same call sign are linked to different modules.
- "class.node.php"
- "class.reflector.php"
- "users.php"
xlx db v2.3.1
- "config.inc.php" $CallingHome['InterlinkFile'] added
- "index.php" added support for interlink visualization
- "class.reflector.php" callingHome redesigned for interlink visualization
- "class.interlink.php" interlink visualization
xlx db v2.2.3
- "config.inc.php" $CallingHome['HashFile'] and $CallingHome['OverrideIPAddress'] added
- "index.php" supports new variables from config.inc.php
- "class.reflector.php" supports new variables from config.inc.php
- "country.csv" prefixes update
xlx db v2.2.2
This version is a major release with a voluntary self-registration feature built in.
You need to edit the conf.inc.php to your needs.
On the first run your personal hash to access the database is placed in the server's /tmp folder.
Take care to make a backup of this file, because this folder is cleaned up after a server reboot.
xlx db v2.1.6
With this version of the dashboard, several parameters
are freely configurable.
Changes are made in "config.inc.php".
- "config.inc.php"
- "index.php"
- "users.php"
- "peers.php"
- "repeaters.php"
xlx db v2.1.5
- "class.node.php" added "get prefix"
- "repeaters.php" check for XRF or REF link
- "country.csv" prefixes update + gate symbol
- "flags" gate.png
xlx db v2.1.4
- "class.reflector.php" improved the flag search
- "country.csv" added several prefixes
- "flags" added Puerto Rico and Åland Islands
xlx db v2.1.3
- "index.php" added support for multiradio repeaters
- "users.php" added support for multiradio repeaters
- "class.reflector.php" added support for multiradio repeaters
- "repeaters.php" added suffix "D" for "dongle"
xlx db v2.1.2
- "index.php" bugfix to correct an error if XLX name is equal to XLX000
xlx db v2.1.1
- "peers.php" added hyperlink to the peers ip address
xlx db v2.1.0
- "index.php"
button "Peers" added
button "Repeaters/Nodes" now shows the number of connected devices
moved XLX name, version and service uptime to improve view on mobile devices
- "class.peer.php" added
- "peers.php" added
- "repeaters.php" limits the node list to 100 nodes
xlx db v2.0.6
- "index.php" now reads out the XLX service uptime and not the server uptime
- "country.csv" prefixes update
- "class.reflector.php" improved flag display
- "users.php" limits the user list to 40 users
- "repeaters.php" limits the node list to 40 nodes
xlx db v2.0.5
- "class.reflector.php" extra callsign checking